2018-2019 Annual Report to Parliament on the Administration of the Privacy Act
Foreword
Each fiscal year, the head of every government institution prepares and submits an annual report to Parliament on the administration of the Privacy Act.
This report is tabled in Parliament in accordance with section 72 of the Privacy Act under the direction of the Minister of National Revenue and the Commissioner of the Canada Revenue Agency (CRA). It describes how the CRA administered and fulfilled its obligations under the Privacy Act between April 1, 2018, and March 31, 2019. The report also discusses emerging trends, program delivery and areas of focus for the year ahead.
The Privacy Act
The Privacy Act came into force on July 1, 1983. It protects the privacy of individuals by outlining strong requirements for collecting, retaining, using, disclosing and disposing of personal information held by government institutions. It provides individuals (or their authorized representatives) with a right of access to their own personal information, with limited and specific exceptions, and with a right of correction and or annotation. Individuals who are not satisfied with an institution’s handling of their personal information or any matter related to a formal request made under the Privacy Act are entitled to complain to the Privacy Commissioner of Canada.
The Privacy Act’s formal processes do not replace other ways of obtaining federal government information. The CRA encourages individuals and their representatives to consider requesting information through the CRA’s website at canada.ca/en/revenue-agency.html or through the CRA’s 1-800 lines.
Table of contents
Overview of the Canada Revenue Agency
Chief Privacy Officer
Access to Information and Privacy Directorate
Access to Information and Privacy Oversight Review Committee
Delegation of responsibilities under the Privacy Act
Schedule: Privacy Act
Operational environment
Training and awareness
Policies, guidelines and procedures
Monitoring
Managing privacy breaches
Privacy impact assessments
Collaboration with oversight bodies and other organizations
Interpretation and explanation of Appendix A – Statistical report
Conclusion
Appendix A – Statistical report
Appendix B – New reporting requirement
ISSN: 2563-3465
Overview of the Canada Revenue Agency
The Canada Revenue Agency (CRA) administers tax laws for the Government of Canada and for most provinces and territories. It also administers various social and economic benefit and incentive programs delivered through the tax system. In addition, the CRA has the authority to enter into new partnerships with the provinces, territories and other government bodies (at their request and on a cost-recovery basis) to administer non‑harmonized taxes and other services. Overall, the CRA promotes compliance with Canada’s tax legislation and regulations and plays an important role in the economic and social well-being of Canadians.
The Minister of National Revenue is accountable to Parliament for all of the CRA’s activities, including administering and enforcing the Income Tax Act and the Excise Tax Act.
The Canada Revenue Agency Act provides for the establishment of a Board of Management consisting of 15 Directors appointed by the Governor in Council. They include the Chair, the Commissioner and Chief Executive Officer; a director nominated by each province; 1 director nominated by the territories; and 2 directors nominated by the Government of Canada. Under the provisions of the Canada Revenue Agency Act, the Board of Management oversees the organization and administration of the CRA, including the management of its resources, services, property, personnel and contracts. In fulfilling this role, the Board of Management brings a forward-looking strategic perspective to the CRA’s administration, fosters sound management practices and is committed to efficient and effective service delivery.
As the CRA’s Chief Executive Officer, the Commissioner is responsible for the day-to-day administration and enforcement of the program legislation that falls under the Minister’s delegated authority. The Commissioner is accountable to the Board of Management for managing the CRA, supervising employees and implementing policies and budgets. Moreover, the Commissioner must assist and advise the Minister with respect to legislated authorities, duties, functions and Cabinet responsibilities.
The CRA is made up of 13 functional branches and 5 regional offices across the country.
Branches
- Appeals
- Assessment, Benefit and Service
- Audit, Evaluation and Risk
- Collections and Verification
- Domestic Compliance Programs
- Finance and Administration
- Human Resources
- Information Technology
- International, Large Business and Investigations
- Legal Services
- Legislative Policy and Regulatory Affairs
- Public Affairs
- Service, Innovation and Integration
Regions
- Atlantic
- Ontario
- Prairie
- Quebec
- Pacific
Chief Privacy Officer
The Assistant Commissioner, Public Affairs Branch, is the CRA’s Chief Privacy Officer. The Chief Privacy Officer has a broad mandate of overseeing privacy at the CRA. To fulfill this mandate, the Chief Privacy Officer:
- oversees decisions related to privacy, including privacy impact assessments
- champions personal privacy rights, including managing internal privacy breaches, according to legislation and policy
- reports to the CRA’s senior management on the state of privacy management at the CRA at least twice a year
Access to Information and Privacy Directorate
The Access to Information and Privacy Directorate helps the CRA meet its requirements under the Access to Information Act and the Privacy Act. To fulfill this mandate, the directorate:
- responds to requests and enquiries under the Access to Information Act and the Privacy Act
- responds to consultations and complaints
- responds to and promotes informal disclosure requests
- provides advice and guidance to CRA employees on the proper management and protection of personal information under the CRA’s control
- co-ordinates the privacy impact assessment process within the CRA, including giving expert advice to CRA employees on privacy implications and options for avoiding or reducing risks
- gives training and awareness sessions on access to information and privacy
- communicates with the Treasury Board of Canada Secretariat and the offices of the information and privacy commissioners of Canada about policy and legislative requirements, complaints and audits
- fulfills corporate planning and reporting obligations, such as the CRA’s annual reports to Parliament on the administration of the Access to Information Act and the Privacy Act
The Director of the Access to Information and Privacy Directorate has the full delegated authority of the Minister of National Revenue under the Access to Information Act and the Privacy Act. The Director also manages and co-ordinates the access to information and privacy program, leads strategic planning and development initiatives, and supports the Assistant Commissioner, Public Affairs Branch and Chief Privacy Officer with the privacy governance function.
The directorate is made up of 2 main divisions: processing, and program support and training. In addition to the directorate’s headquarters office in Ottawa, there is an office in Vancouver and an office in Montréal. In fiscal year
2018–2019, an equivalent of 133 full-time employees administered the Access to Information Act and the Privacy Act.
The following chart shows the structure of the Access to Information and Privacy Directorate.
Image description
First row Director, Access to Information and Privacy (ATIP) Directorate
Middle row, first box Assistant Director, ATIP Processing, Corporate and Complex Case Division
Middle row, second box Assistant Director, ATIP Processing, Strategic Compliance Division
The two areas of responsibility of the Assistant Director, ATIP Processing, Strategic Compliance Division are listed in the two boxes below. They are: Tax Compliance Section and Operations / Training Manuals Section.
Middle row, third box Assistant Director, ATIP Processing, Legislative and HQ Operational Case Division
The two areas of responsibility of the Assistant Director, ATIP Processing, Legislative and HQ Operational Case Division are listed in the two boxes below. They are: Legislative Case Section and HQ Operations Section
Middle row, fourth box Assistant Director, ATIP Processing, Regional Operations Case Division – Vancouver
Middle row, fifth box Assistant Director, ATIP Processing, Regional Operations Case Division – Montréal
Middle row, sixth box Assistant Director, Program Support and Training Division
The two areas of responsibility of the Assistant Director, Program Support and Training Division are listed in the two boxes below. They are: Governance and Corporate Reporting Section and Business Processes Section
Access to Information and Privacy Oversight Review Committee
The Access to Information and Privacy Oversight Review Committee is an Assistant‑Commissioner‑level committee chaired by the Chief Privacy Officer. The committee was established to ensure horizontal consultation, collaboration and decision‑making on emerging access to information and privacy issues at the CRA.
Among other responsibilities, the committee reviews and approves the development, implementation and streamlining of key policies and processes related to access to information and privacy at the CRA.
Delegation of responsibilities under the Privacy Act
As head of the CRA, the Minister of National Revenue is responsible for how the CRA administers and complies with the Privacy Act, Privacy Regulations and related Treasury Board of Canada Secretariat policy instruments. Section 73 of the Privacy Act gives the Minister the authority to designate 1 or more officers or employees of the CRA to exercise or perform all or part of the Minister’s powers, duties and functions under the Act.
The CRA’s current delegation order for the Privacy Act was signed by the Minister of National Revenue on
January 14, 2016. It identifies specific provisions of the Privacy Act and its regulations that the Minister has delegated to various positions within the CRA.
The access to information and privacy Director and Assistant Directors, as well as the Managers of the processing units, approve responses to requests under the Privacy Act. Delegations are also extended to the Commissioner, the Deputy Commissioner, the Assistant Commissioner, Public Affairs Branch, and Chief Privacy Officer.
Image description
Privacy Act
Delegation Order
I, Diane Lebouthillier, Minister of National Revenue, do hereby designate, pursuant to section 73 of the Privacy Act, the officers or employees of the Canada Revenue Agency who hold the positions set out in the attached Schedule to exercise or perform the powers, duties or functions that have been given to me as head of a government institution under the provisions of the Privacy Act as set out in the Schedule.
This designation replaces all previous delegation orders.
Diane Lebouthillier
Minister of National Revenue
Signed in Ottawa, Ontario, Canada this 14th day of January, 2016
Schedule: Privacy Act
The CRA positions that are authorized to perform the powers, duties and functions given to the Minister of National Revenue as head of a government institution under the provisions of the Privacy Act and its regulations are the following:
Commissioner
- Full authority
Deputy Commissioner
- Full authority
Assistant Commissioner, Public Affairs Branch, and Chief Privacy Officer
- Full authority
Director, Access to Information and Privacy Directorate, Public Affairs Branch
- Full authority
Assistant Directors, Access to Information and Privacy Directorate, Public Affairs Branch
- Full authority with the exception of paragraphs 8(2)(j) and (m) and subsection 8(5)
Managers, Access to Information and Privacy Directorate, Public Affairs Branch
- Subsection 9(1); sections 14 and 15; paragraphs 17(2)(b) and 17(3)(b); subsections 19(1) and 19(2); sections 20 to 22 and 23 to 28; subsections 33(2),
35(1) and 35(4) of the Privacy Act; and section 9 of the Privacy Regulations.
Operational environment
As the chief administrator of federal, provincial and territorial tax laws, the CRA maintains one of the largest repositories of personal information in the Government of Canada. In addition, the CRA collects and manages the personal information for its workforce of over 40,000 individuals. Canadians trust the CRA with their personal information and the CRA takes the protection of that information very seriously. During the reporting period, in collaboration with a consulting firm, a full review of the CRA’s privacy management program took place. The recommendations resulting from the review will be implemented in fiscal year 2019–2020. For more details, see the Enhancement of the privacy management program section in this report.
The number of formal requests has increased exponentially in recent years. As a result, the inventory of requests received under the Privacy Act is at an unmanageable level. In fact, the CRA’s Access to Information and Privacy Directorate processes among the largest volume of privacy requests and pages of all federal institutions. According to the most recent Treasury Board of Canada Secretariat statistics, in fiscal year 2017–2018 the CRA processed the second largest volume of pages (over 900,000) of all federal institutions and received the seventh largest number of requests. This trend likely continued in 2018–2019, because the CRA received and completed more requests than at any point in history, with 4,789 requests received and 4,599 requests completed, requiring the review of just under 900,000 pages.
Beyond responding to this unprecedented volume of requests, most of the same resources that process these requests also process the requests received under the Access to Information Act and are responsible for other workloads including responding to consultations and complaints.
Due to this increasing demand on the access to information and privacy program, an access to information and privacy workload management plan, known as ATIP Way Forward, was developed during the reporting period and will be implemented in 2019–2020. For more details, see the ATIP Way Forward section in this report.
The following table shows the trend of requests received under the Privacy Act over the past 5 years.
Image description
Privacy Act requests trend
In 2014-2015, 2,533 requests were received, 2,313 were completed, 636,207 pages were processed
In 2015-2016, 3,048 requests were received, 2,723 were completed, 476,832 pages were processed
In 2016-2017, 3,174 requests were received, 3,400 were completed, 1,086,917 pages were processed
In 2017-2018, 3,791 requests were received, 3,821 were completed, 920,251 pages were processed
In 2018-2019, 4,789 requests were received, 4,599 were completed, 896,837 pages were processed
ATIP Way Forward, a workload management plan
In 2016–2017, an access to information and privacy inventory reduction plan was developed to address high request volumes and a backlog. Due to several short-term measures implemented in the plan, including significant use of overtime, the plan exceeded expectations to reduce the carry-forward inventory and the deemed refusal volume. Although the measures taken were effective in achieving the directorate’s short and intermediate goals, it was determined that this was not an appropriate long-term solution.
In 2018–2019, the Access to Information and Privacy Directorate’s senior management team developed a renewed inventory reduction plan: the ATIP Way Forward workload management plan. The plan is designed to build foundational capacity and sustainable, long-term solutions. The proposed solutions include:
- expediting staffing
- addressing the backlog
- addressing complaints
- establishing a data analytics team (this will include improved reporting to offices of primary interest)
- addressing technological challenges
- reviewing and implementing changes to the organizational structure of the Access to Information and Privacy Directorate, including the establishment of a centre of expertise and centralization of the front end
A project manager will lead the implementation of the plan starting at the beginning of fiscal year 2019–2020.
Staffing
In 2018–2019, the Access to Information and Privacy Directorate undertook many actions to manage the growing access to information and privacy workload including:
- researching innovative recruitment solutions
- recruiting for multiple positions
- launching 5 selection processes
- addressing acting positions
- providing developmental opportunities
Enhancement of the Privacy Management Program
In 2017–2018, the CRA commissioned a review of the way in which it manages privacy at the enterprise-wide level. This included a review of governance, policy instruments, guidance, tools, oversight, monitoring, training and communication.
The review concluded that the CRA has a strong culture around security and the protection of personal information. The review also identified areas in which improvements could be made to adapt to the changing privacy landscape.
The review’s resulting recommendations were based on Privacy by Design principles, where privacy is systemically embedded into business practices and systems. The recommendations specifically focused on:
- raising the visibility of privacy management
- driving collaboration between the Chief Privacy Officer and other CRA executives
- improving governance and controls
- reviewing organizational structure and required expertise
Modernization of the Access to Information Act and the Privacy Act
Extensive work has taken place across the CRA in preparation for the royal assent of Bill C‑58: An Act to amend the Access to Information Act and the Privacy Act and to make consequential amendments to other Acts. Although the primary focus of the bill is on the Access to Information Act, it does include related amendments to the Privacy Act.
Since the bill’s first reading in June of 2017, the CRA has held many internal briefings to ensure readiness. Leads have also been identified for each of the proactive publication requirements and collaboration has been ongoing with the CRA’s communications, language services, publishing, and legal services areas.
One of the more significant impacts of the bill on the CRA will be the requirement to post briefing note titles and tracking numbers on Canada.ca on a monthly basis. During the fiscal year, the CRA changed its processes to increase efficiency. One change was the adoption of the Treasury Board of Canada Secretariat’s routing slip so that sensitivities in the release of the titles can be identified. Training sessions were hosted across the CRA to support the smooth transition to the use of the routing slip. The revised routing slip was launched during the fiscal year.
The CRA continues to work closely with various stakeholders on the Government of Canada’s commitment to modernize the acts.
Informal disclosure
On an ongoing basis, the CRA explores ways to get information to clients in the fastest and most efficient way. One of these ways is informal disclosure. Informal disclosure is when information is provided without the need to make a request under the Access to Information Act or the Privacy Act. Examples of information provided informally are copies of tax slips and CRA policies and manuals. The Access to Information and Privacy Directorate receives a significant number of Privacy Act requests, referred to as “fast-track requests”, which could potentially be redirected to informal channels. During the fiscal year, the Access to Information and Privacy Directorate prepared extensive material in preparation for a meeting with the Office of the Privacy Commissioner of Canada, along with other government departments, to discuss ways to improve informal disclosure across government. The meeting is scheduled for the beginning of fiscal year
2019–2020.
The Directive for the Disclosure of Taxpayer and Other Information outlines the accountabilities of CRA officials for informal and formal disclosures. To supplement the directive, in 2018–2019, the CRA launched an informal disclosure course. The course is targeted to subject-matter experts who need a comprehensive understanding of the disclosure of protected information to taxpayers under program legislation. Additionally, an informal disclosure page was launched on the CRA’s intranet site; this page provides guidance and resources in support of expanded informal disclosure.
Training and awareness
Training
The Access to Information and Privacy Directorate is committed to promoting and providing access to information and privacy training to CRA employees. This training varies, depending on the needs of the employee. For instance, employees who have little or no knowledge of the subject are encouraged to take the ATIP Fundamentals course or the Access to Information in the Government of Canada course offered by the Canada School of Public Service. Subject matter experts are advised to take more specific training, such as on how to provide complete recommendations in response to requests. During the fiscal year, training was also given on Bill C-58 requirements.
The CRA’s Legal Services Branch provides specialized training on the Access to Information Act and the Privacy Act to advise CRA staff on how to prepare documents for release in CRA reading rooms, on informal disclosure and on the legal interpretation of the Access to Information Act and the Privacy Act for specialized CRA staff such as auditors.
In 2018–2019, more than 2,700 CRA employees across Canada participated in instructor‑led and online training. In total, this fiscal year:
- 1,537 employees participated in 58 training sessions given by the CRA
- 1,048 employees took the Canada School of Public Service ATIP Fundamentals online course
- 46 employees attended the Canada School of Public Service Access to Information in the Government of Canada in-class course
- 82 employees participated in specialized training given by the Legal Services Branch
The number of employees that attended online training is likely much higher than indicated above, because online training sessions are frequently attended by large groups of employees under 1 registration.
In 2017–2018, the CRA launched the first of a suite of 10 web-based modules that offer specialized technical training for access to information and privacy employees. In 2018–2019, the remaining 9 modules were launched. This series of modules is the first of its kind for access to information and privacy professionals in the Government of Canada.
In a continued effort to promote informal disclosure across the CRA, an informal disclosure page was published on the CRA’s intranet. The page provides detailed guidance and links to information on informal disclosure.
Raising awareness
In 2018–2019, beyond the work completed by the CRA to enhance its privacy management program, the Access to Information and Privacy Directorate worked on many projects to enhance employees’ awareness of their privacy-related roles and responsibilities.
For the eighth consecutive year, the CRA joined the Office of the Privacy Commissioner of Canada and many other institutions internationally to promote Data Privacy Day. On that day, individuals are informed about the impact that technology has on privacy rights and the importance of valuing and protecting personal information.
The directorate also raised awareness about access to information and privacy and the role they play in supporting sound privacy management, through multiple committee meetings and in regular communication with CRA employees, including access to information and privacy contacts, and employees in the offices of primary interest who have been identified to liaise with the Access to Information and Privacy Directorate.
Policies, guidelines and procedures
The Access to Information and Privacy Directorate dedicated significant time in 2018–2019 to the review of CRA corporate documents, including policy instruments, to make sure that the role of the CRA’s Chief Privacy Officer and privacy implications were considered.
Furthermore, the CRA continues to provide feedback to the Treasury Board of Canada Secretariat on draft corporate policy instruments and promote compliance once those policy instruments are implemented.
Changes to the CRA's privacy policy instruments are expected in 2019–2020, as a result of the implementation of the recommendations to revise its privacy management program.
Directive on Personal Information Requests and Correction of Personal Information
The Directive on Personal Information Requests and Correction of Personal Information came into effect on
October 1, 2018. As per the directive, all government institutions are required to provide a written explanation to a requester when their Privacy Act request is expected to take more than 30 days to fulfill.
This new policy requirement delivers on the Government of Canada’s Budget 2016 commitment that when a request made under the Privacy Act takes longer than 30 days to fulfill, the Government will provide a written notification of the delay to the requester.
To ensure readiness for this new directive, the Access to Information and Privacy Directorate:
- provided briefings to senior management and employees
- made changes to the procedures manual and tracking system
- incorporated monitoring of compliance with the directive into the internal monitoring and reporting process
Internal procedures manual
During the reporting period, the Access to Information and Privacy Directorate completed an updated version of its internal procedures manual. This version is the second update to the manual since 2016 and serves as a guide for all major procedures related to access to information and privacy. The purpose of the manual is to promote consistent practices across the directorate when administering the Access to Information Act and the Privacy Act. The manual serves as a main resource tool for the directorate and it reduces the time needed to train new employees. In 2019–2020, the directorate will explore the feasibility of developing an online version of the manual.
Info Source update
During the reporting period, the CRA completed a review of its Info Source chapter. Info Source provides information about the functions, programs, activities and related information holdings of government institutions subject to the Access to Information Act and the Privacy Act. Info Source also provides guidance to individuals on how to access information held by government institutions to exercise their rights under these acts.
Each institution subject to the Access to Information Act and the Privacy Act must update its Info Source chapter annually by the due date set by the Treasury Board of Canada Secretariat. In accordance with this requirement, in June of 2018, the CRA updated 15 personal information banks and 10 classes of records. In addition, the list of reading room manuals was reviewed and updated.
The CRA's Info Source chapter can be found here: canada.ca/cra-info-source.
Monitoring
The Access to Information and Privacy Directorate produces a monthly report that captures key statistical information about the CRA’s inventory of access to information and privacy requests. The report monitors active and completed requests, including pages received and processed, the carry-forward inventory, the complexity levels and deemed refusal volumes. Management regularly uses the report to monitor trends, measure the directorate’s performance and identify any process changes needed to improve performance. The report is presented monthly to senior management at the Commissioner‑chaired Agency Management Committee.
To make sure the CRA is in full compliance with the Directive on Personal Information Requests and Correction of Personal Information, regular monitoring and reporting began during the reporting period and will continue in
2019–2020.
In addition to the monitoring and reporting mechanisms in place, more extensive data analytics is required for the access to information and privacy program at the CRA. The Access to Information and Privacy Directorate’s access to information and privacy database, which is used for monitoring and reporting, is primarily designed for workload management. Improving data analytics capabilities will require upgrades to the database, tools and employee skillsets.
Through the successful submission of a business case during the fiscal year to buy SAS data analytics software, in fiscal 2019–2020, a data analytics team will:
- identify and measure the trends that are causing access to information and privacy volumes to increase
- analyze workload to identify process flow problems and evaluate the effectiveness of solutions
- identify and measure trends related to privacy compliance
- produce comprehensive reports to support business decisions and ultimately improve processes and privacy management
The establishment of the data analytics team will be done in 2 phases. Phase 1 started in 2018–2019 when the Service, Innovation and Integration Branch dedicated a team to review and evaluate the data in the Access to Information and Privacy Directorate’s tracking system. The branch assigned a data scientist to the directorate to work with business experts to determine the best approach to improve data quality and enhance the directorate’s data analytics capabilities. The directorate hired a project officer during the fiscal year to support the reporting processes.
Phase 2, which will be implemented in 2019–2020, will be dedicated to determining the appropriate strategy going forward, including identifying reporting requirements, acquiring data analytics tools, database cleanup and enhanced reporting.
Managing privacy breaches
One of the cornerstones of Canada’s tax system is the trust Canadians place in the CRA to safeguard their personal information. The CRA takes the risk of a privacy breach very seriously and keeps its controls and sanctions strong to prevent unauthorized access and disclosure. Despite the effectiveness of the many controls in place, privacy breaches sometimes occur. Effectively managing privacy breaches is critical to maintaining public confidence in the integrity of the tax system.
This year, the CRA’s Security and Internal Affairs Directorate informed the Access to Information and Privacy Directorate of 103 incidents of alleged or confirmed improper access, collection, use and disclosure of personal information by the CRA. Additionally, the Access to Information and Privacy Directorate received 44 privacy related complaints and allegations from the Office of the Privacy Commissioner of Canada and/or individuals.
In 2018–2019, the majority of privacy breaches at the CRA resulted from misdirected mail. Misdirected mail is taxpayer information that has been incorrectly addressed or directed to the wrong person and is reported to the CRA as misdirected. Misdirected mail incidents represent 0.003% of the 110 million pieces of mail handled annually by the CRA.
The CRA follows the Treasury Board of Canada Secretariat’s guidelines to determine which privacy breaches meet the threshold for notification to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. In 2018–2019, the CRA reported 6 material privacy breaches to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. Of these, 5 involved unauthorized access to taxpayer information by a CRA employee and 1 involved the unauthorized disclosure of taxpayer information.
The CRA continues to improve and evolve internal processes and systems to further protect taxpayer information. These controls include monitoring employee access to taxpayer information, limiting employees’ access permissions to only the information required to carry out their job and regularly reviewing employee access to CRA systems.
Privacy impact assessments
Canada Revenue Agency privacy impact assessment plan
The Canada Revenue Agency’s privacy impact assessment plan considers the key programs and activities of the CRA’s departmental results framework as outlined in the 2017–2019 Departmental Plan and assesses the associated privacy risks. The plan also considers the operational context outlined in the departmental plan, including the corporate risk profile that helps the CRA protect its integrity by identifying and putting plans in place to reduce risk exposure. All branches with ongoing privacy impact assessments are required to report on the progress of these assessments and corresponding action plans on a quarterly basis. The privacy impact assessment plan is evergreen and is amended as necessary to address any new priorities and activities that emerge during the planning cycle.
Since the implementation of the privacy impact assessment plan in 2014, the CRA has completed 49 assessments.
Summaries of completed privacy impact assessments
The CRA completed 12 privacy impact assessments during the 2018–2019 reporting period. In addition, a significant number of initiatives were reviewed to assess potential privacy impacts, which necessitated the review of documents such as privacy assessment determination questionnaires, threat and risk assessments, local application solutions and written collaborative arrangements.
In line with the Treasury Board of Canada Secretariat’s Directive on Privacy Impact Assessment, the CRA publishes summaries of completed privacy impact assessments on its website: canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment.
The following is an overview of the summaries of the 12 privacy impact assessments completed and sent to the Office of the Privacy Commissioner of Canada and to the Treasury Board of Canada Secretariat for review in 2018–2019:
Anonymous internal fraud and misuse reporting line v 2.0
The Anonymous Internal Fraud and Misuse Reporting line provides individuals with an anonymous, confidential and secure communication channel to report suspicions of fraudulent activity engaged in by employees and/or management. The reporting line is administered by an independent third-party contractor.
The privacy impact assessment has been updated to include the ClearView Connects™ contract extension, administrative updates such as completion of the Statement of Sensitivity and Threat and Risk Assessment and the updated Records Disposition Authorities.
For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/anonymous-internal-fraud-misuse-reporting-line-v2.html.
Government of Canada Business Number Adoption: Web Validation Service v 2.0
In October 2013, the Deputy Minister of Service and Federating Identity endorsed the mandatory adoption of the business number by making it the common identifier for businesses throughout the Government of Canada. After being tasked by Innovation, Science and Economic Development Canada to develop the technical solution, the CRA established the Web Validation Service that provides federal government agencies and departments with the ability to adopt the business number as the common identifier.
The 2017 privacy impact assessment for this initiative has been updated to more accurately reflect current operating practices and incorporate the most current business number partner adopters.
For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/government-canada-business-number-adoption-web-validation-service-v2.html.
Collections Tax Programs
Collections Tax Programs is responsible for collecting outstanding debts for the Government of Canada, all the provinces (except Quebec) and the territories. The types of debts collected include income tax, payroll deductions, goods and services tax / harmonized sales tax, the air travellers security charge, the softwood lumber products export charge, benefit or rebate overpayments, and duties and levies on products manufactured or services used in Canada.
This privacy impact assessment was completed to make sure that personal information is used strictly for the administrative purpose of collecting tax and non-tax debts, to identify risks to personal information within the program and to establish a risk action plan where measures to mitigate the risk are not adequate.
For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/collections-tax-programs.html.
Contact Centre Operations v 2.0
Telephone enquiries call centres provide support to individuals (including benefit recipients), businesses and trusts, helping them to meet their tax obligations, become aware of benefit entitlements and receive answers to general or account-specific enquiries. Debt management call centres handle high-volume, low-complexity collections and compliance-related phone calls from across Canada.
Led by Shared Services Canada, the Government of Canada is replacing its aging contact centre infrastructure as part of the Contact Centre Transformation Initiative. This initiative will bring the contact centres of federal institution partners to the common, modernized, centrally managed, fully hosted, national Hosted Contact Centre Service platform. IBM Canada Ltd. has been contracted by Shared Services Canada to build the infrastructure that will support the Hosted Contact Centre Service. The CRA is modernizing its telephone enquiries and debt management call centres as part of this initiative in order to provide a higher standard of service to Canadians.
For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/contact-centre-operations-v2.html.
Employer Accounts Program
The Employer Accounts Program is responsible for making sure that all employers deduct the required Canada Pension Plan contributions, employment insurance premiums and income tax from their employees' salary and wages. It also makes sure that employers send those deductions, along with their own share, to the CRA and that the deductions are reported correctly on the appropriate form.
The privacy impact assessment was updated to reflect the new use of a system that will enable better tracking of correspondence received from employers through the national verification and collections centres across Canada.
For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/employer-accounts-program.html.
Employer Compliance Audit Program v 2.0
The Employer Compliance Audit Program is responsible for auditing employers’ books and records to ensure the proper reporting of employment income, taxable benefits and certain taxable benefits to shareholders, the withholding and sending of payroll-source deductions and the proper characterization of workers.
The privacy impact assessment was updated to reflect the new use of a system that will enable better tracking of the files. In addition, the program will start using risk assessment and research when selecting files.
For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/employer-compliance-audit-v2.html.
GST/HST Returns and Rebates Processing Program
This privacy impact assessment assesses the personal information used to administer and enforce the GST/HST Returns and Rebates Processing Program, including the processing, assessment, validation, reassessment and verification of GST/HST returns. This update addresses the following recent changes to the program:
- collaborating with Revenu Québec, in response to Budget 2018 “Strengthening Digital Services,” to provide digital services to residents of Quebec that better compare to those available to the rest of Canada
- collecting and storing the Internet protocol address used to file an electronic GST/HST rebate (tentative for October 2020)
- offering an electronic GST/HST rebate filing option for individuals through My Account and Represent a Client for owner-built, new housing rebates
For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/gst-hst-returns-rebates-processing-program.html.
Income Verification Services Program v 2.0
The Income Verification Services Program helps federal, provincial and territorial partners determine eligibility for income-tested programs for such things as drug cost assistance, housing, student loans and grants. The CRA promptly provides taxpayer information to these income-tested programs with the consent of the individual applicant. The proof of the applicant’s income is then sent electronically to the partner government organization, which is required to determine the applicant’s eligibility for assistance. This process allows for faster processing and reduces the wait time for applicants.
For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/income-verification-services-v2.html.
Individual Refund Set-off Program
The Individual Refund Set-off Program handles tax refunds and credit payable to individuals, which can be applied to debts those individuals owe to the Crown. Any federal, provincial or territorial department, agency or Crown corporation may participate in this program, subject to the CRA’s legislative and policy requirements.
For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/individual-refund-set-off-program.html.
Specialty Business Returns Program v 2.0
The Specialty Business Returns Program assesses returns, refunds and rebate applications and issues notices of assessment and reassessment for excise duties and taxes, other levies and charges, and customs duties and tariffs collected by the federal government. The program is also responsible for all activities related to the filing of partnership information returns. The privacy impact assessment was updated to include the processing of the fuel charge and cannabis returns.
For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/specialty-business-returns-program-v2.html.
Trust Accounts Examination Program v 2.0
The Trust Accounts Examination Program is responsible for examining employers' books and records to ensure proper deducting, sending and reporting of income tax (federal and provincial), goods and services tax / harmonized sales tax, Canada Pension Plan contributions, employment insurance premiums, employer-provided benefits and unreported income. The program is delivered in all tax services offices across Canada. In the province of Quebec, provincial tax and Canada Pension Plan contributions are not examined, since Revenu Québec administers its pension plan and income tax.
The Trust Accounts Examination Program is running a pilot project that explores the types of trust account examination files that could be worked on more efficiently within a tax services office without the need to travel to a taxpayer’s or authorized representative’s place of business. As part of the pilot project, employers and their representatives now have the option of sending documents to the CRA electronically.
For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/trust-accounts-examination-v2.html.
T3 Trust Returns Assessing Program v 2.0
The T3 Trust Returns Assessing Program includes the assessment and reassessment of trust income tax and information returns. The program checks whether amounts on a return and related schedules are supported by the required documents and verifies the accuracy of the calculations of the amounts reported on the documents. The information collected by this program is used to determine a trust’s tax payable, penalties, interest or refund and is reflected on a notice of assessment or reassessment.
The privacy impact assessment has been updated to reflect a new request from the Ministère des Finances du Québec to share with them the same data file that the CRA currently shares with Revenu Québec.
For the complete privacy impact assessment summary, go to:
canada.ca/en/revenue-agency/services/about-canada-revenue-agency-cra/protecting-your-privacy/privacy-impact-assessment/t3-trust-returns-assessing-v2.html.
Collaboration with oversight bodies and other organizations
The CRA continues to work closely with the Office of the Privacy Commissioner of Canada, the Treasury Board of Canada Secretariat and other organizations to strengthen privacy at the CRA.
Office of the Privacy Commissioner of Canada
The CRA met with the Office of the Privacy Commissioner of Canada on various subjects throughout the fiscal year, including privacy breaches and specific privacy impact assessments. The follow-up on these privacy impact assessments involved multiple discussions, meetings and presentations given by the CRA to the Office of the Privacy Commissioner of Canada.
Treasury Board of Canada Secretariat
The CRA strengthened its relationship with the Treasury Board of Canada Secretariat throughout the fiscal year by:
- collaborating on a community development initiative to develop a formal access to information and privacy network, to further meet the growing needs of access to information and privacy offices across the Public Service of Canada
- participating in a panel discussion on privacy breaches
- providing feedback on draft corporate policy instruments
- consulting with the Information and Privacy Policy Division of the Treasury Board of Canada Secretariat on a wide-range of subjects, such as policy and legal interpretation
- participating in access to information and privacy community meetings and in working groups on various privacy-related topics, including the modernization of the Privacy Act
Interpretation and explanation of Appendix A – Statistical report
Appendix A provides a statistical report on the CRA’s activities under the Privacy Act for the reporting period of April 1, 2018, to March 31, 2019. The following explains and interprets the statistical information and includes additional privacy statistics at the CRA.
Note
Some totals may be more than 100% due to rounding.
Part 1 – Requests under the Privacy Act
During the reporting period, the CRA received 4,789 new requests under the Privacy Act. This is an increase of 998 requests (26%) over last year’s total of 3,791 requests. Including the 512 requests carried forward from the 2017–2018 reporting period, the CRA had 5,301 active requests in its inventory.
The following table shows the number of requests the CRA received and completed under the Privacy Act, as well as the number of pages processed over the past 5 fiscal years. The number of requests received has nearly doubled from the 2014–2015 fiscal year.
| Fiscal year | Requests received | Requests completed | Pages processed |
|---|---|---|---|
| 2014–2015 | 2,533 | 2,313 | 636,207 |
| 2015–2016 | 3,048 | 2,723 | 476,832 |
| 2016–2017 | 3,174 | 3,400 | 1,086,917 |
| 2017–2018 | 3,791 | 3,821 | 920,251 |
| 2018–2019 | 4,789 | 4,599 | 896,837 |
Other requests and workload
Beyond the 4,789 requests received under the Privacy Act, the CRA processes a high volume of other requests. The additional volume significantly affects operations, since resources must be diverted to manage this workload. These additional requests include external and internal consultations, general enquiries, and complaints. For instance, the Program Support and Training Division of the Access to Information and Privacy Directorate responded to 4,123 emails and 972 phone enquiries received through the general enquiries mailbox and 1‑800 line.
Part 2 – Requests closed during the reporting period
Disposition
For the second straight year, the CRA completed a record number of privacy requests. The disposition of the 4,599 requests completed is as follows:
- 1,994 were fully disclosed (43%)
- 1,600 were disclosed in part (35%)
- 3 were exempted in their entirety (0.1%)
- 51 resulted in no existing records (1%)
- 950 were abandoned by requesters (21%)
- 1 was neither confirmed nor denied (0.02%)
778 (20%) more requests were completed in
2018–2019 than in
2017–2018.
The following chart shows the completion times for the 4,599 requests closed in 2018–2019.
Image description
Completion time
3,312 (72%) in 30 days or under
825 (18%) from 31 to 60 days
304 (7%) from 61 to 120 days
158 (3%) in 121 days or more
The Access to Information and Privacy Directorate completed 4,285 (93%) requests within the timelines required by law. This means that responses were provided within 30 calendar days or within an extended deadline.
For more details, see tables 2.5.1 and 2.5.2 of Appendix A.
Exemptions
The Privacy Act allows an institution to refuse access to specific information. For example, information about an individual other than the requester cannot be disclosed if the individual has not given his or her consent. Exemptions are applied by analysts to support non‑disclosure in these cases.
In 2018–2019, the CRA applied the following exemptions, in full or in part, for the 4,599 requests closed during the reporting period:
- section 19 – Personal information obtained in confidence (19 times)
- section 22 – Law enforcement and investigation (539 times)
- section 25 – Safety of individuals (1 time)
- section 26 – Information about another individual (1,301 times)
- section 27 – Solicitor-client privilege (359 times)
- section 28 – Physical or mental health of individuals (3 times)
Exclusions
The Privacy Act does not apply to information that is publicly available, such as in government publications and in libraries and museums. Also, the act does not apply to Cabinet confidences.
In 2018–2019, the CRA applied no exclusions for information that was publicly available or a Cabinet confidence.
Format of information released
Requesters can choose to receive their response package in paper, CD or DVD format. Persons with disabilities may also request information in alternative formats, such as braille, although no such requests were received this fiscal year. Providing documents electronically significantly reduces manual processes and paper consumption.
In 2018–2019, of the 3,594 requests for which information was disclosed in full or in part, 2,492 requests (69%) were released in electronic format.
Complexity
In 2018–2019, the directorate processed an average of 195 pages per request.
The Treasury Board of Canada Secretariat uses 2 criteria to define complexity: the number of pages to process, and the nature and sensitivity of the subject matter. Based on these criteria, the CRA handles a large number of complex requests.
For example, to respond to the 4,599 requests closed during the fiscal year, the CRA processed 896,837 pages. Of the 4,548 requests for which records were disclosed, 1,091 (24%) involved processing more than 100 pages: 142 of these involved processing more than 1,000 pages and 12 involved processing more than 5,000 pages including 1 request that required the review of 52,363 pages. For more details, see table 2.5.2 of Appendix A.
Other requests were considered complex because of the nature and sensitivity of the subject matter. For more details, see table 2.5.3 of Appendix A.
Deemed refusals
A deemed refusal is a request that was closed after the deadline of 30 calendar days or, if a time extension was taken, after the extended deadline.
Of the 4,599 requests closed during the reporting period, 314 were closed after the deadline, resulting in a deemed refusal rate of 7%.
The CRA consistently receives a high volume of requests, with many of them broad in scope. In addition, there are other priorities for the directorate, including responding to consultations. Despite this, the CRA completed more files this year than any time in history.
The deemed refusal rate has decreased from 9% in 2017–2018 to 7% this year.
Requests for translation
Records are normally released in the language in which they exist. However, records may be translated to an official language when requested and when the institution considers it in the public interest to do so.
There were no requests for translation received in 2018–2019.
Part 3 – Disclosures under subsection 8(2)
Subsection 8(2) of the Privacy Act provides that, subject to confidentiality provisions in other acts of Parliament, personal information may be disclosed without consent for limited and specific circumstances. For example, where the public interest in disclosure clearly outweighs any invasion of privacy.
During the reporting period, there was 1 disclosure of personal information under paragraph 8(2)(m) of the Privacy Act. As a result, the CRA notified the Privacy Commissioner of Canada in accordance with subsection 8(5) of the Privacy Act.
Part 4 – Requests for correction of personal information and notations
Under the Privacy Act, an individual may ask for any factual errors or omissions in their personal information to be corrected.
The CRA received 1 request to correct personal information during 2018–2019.
Part 5 – Extensions
The Privacy Act sets the required timelines for responding to privacy requests. Time extensions are allowed under the following circumstances:
- meeting the original time limit would unreasonably interfere with operations
- there is a need to consult (for example, with a government institution or third party)
- there is a need to translate or convert records into another format
Of the 4,599 requests closed in 2018–2019, the CRA applied extensions for 1,069 (23%) of them. Extensions were applied 99% of the time because of workload and meeting the original 30-day time limit would have resulted in unreasonable interference with CRA operations. The remaining 1% of the time was for consulting with third parties or other government institutions, as well as converting records into other formats.
Part 6 – Consultations received from other institutions and organizations
In 2018–2019, the Access to Information and Privacy Directorate closed 3 external consultation requests from other government institutions and organizations. To respond to these requests, 86 pages were reviewed. For more details, including disposition and completion times, see part 6 of Appendix A.
Over the past 5 years, there has been a 48% increase in the number of internal consultations completed.
In 2018–2019, 341 internal privacy consultation requests were completed, a 4% increase over the previous reporting period. To respond to these requests, the directorate reviewed a total of 6,899 pages. These requests are informal reviews that comply with the CRA’s informal disclosure prerequisites and do not fall under the Privacy Act.
The following table shows the increase in internal privacy consultation requests received over the past 5 years.
Image description
Internal Privacy Consultation Trends
In 2014-2015, 230 internal privacy consultation requests were received, 3,772 pages were processed.
In 2015-2016, 202 internal privacy consultation requests were received, 5,837 pages were processed.
In 2016-2017, 253 internal privacy consultation requests were received, 5,311 pages were processed.
In 2017-2018, 328 internal privacy consultation requests were received, 11,033 pages were processed.
In 2018-2019, 341 internal privacy consultation requests were received, 6,899 pages were processed.
Part 7 – Completion time of consultations on Cabinet confidences
Although Cabinet confidences are excluded from the application of the Privacy Act (section 70), the policies of the Treasury Board of Canada Secretariat require agencies and departments to consult with their legal services office to determine if requested information should be excluded. If there is any doubt or if records contain discussion papers, legal counsel must consult the Office of the Counsel to the Clerk of the Privy Council Office.
In 2018–2019, the CRA did not apply any exclusions for Cabinet confidences.
Part 8 – Complaints and investigation notices received
In 2018–2019, the CRA received 47 complaints under the Privacy Act and closed 21 complaints. This represents a 62% increase in the number of complaints received from the previous reporting period and a 19% decrease in the number of complaints completed.
No complaints were pursued to the Federal Court.
The following chart shows the disposition of the complaints closed during the fiscal year.
Image description
Complaint dispositions
2 (9%) Discontinued
4 (19%) Early resolution
1 (5%) Not well-founded
1 (5%) Resolved
13 (62%) Well-founded
For definitions of the disposition categories, go to: priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-federal-institutions/def-pa/.
Part 9 – Privacy impact assessments
During the reporting period, the CRA sent 12 privacy impact assessments to the Office of the Privacy Commissioner of Canada and the Treasury Board of Canada Secretariat. Information on those assessments is given earlier in this report.
Part 10 – Resources related to the Privacy Act
Costs
During the fiscal year of 2018–2019, the Access to Information and Privacy Directorate’s direct cost to administer the Privacy Act was $6,723,710. This does not include significant support and resources from the branches and regions. For more details, see table 10.1 in Appendix A.
Human resources
In 2018–2019, an equivalent of 80.50 full-time employees were dedicated to administering the Privacy Act.
Conclusion
The CRA takes privacy and the safeguarding of personal information very seriously.
In 2018–2019, the CRA continued to make significant progress in addressing challenges by:
- developing the ATIP Way Forward workload management plan
- collaborating with partners across the CRA to make sure privacy implications were considered for new or revised initiatives that involved personal information
- finalizing the review of the privacy management program and hiring a consulting firm to implement the recommendations
- preparing for royal assent of Bill C-58
- collaborating with the Treasury Board of Canada Secretariat and other federal agencies and departments to explore the feasibility of establishing an access to information and privacy community office
In 2019–2020, the CRA will continue its work to safeguard personal information and improve efficiencies in operations by implementing recommendations within the CRA’s revised privacy management program, implementing the ATIP Way Forward plan, submitting a business case to secure resources, continuing to work on the privacy impact assessment plan, and continuing to work closely with various stakeholders on the Government’s commitment to modernize the Privacy Act.
Appendix A – Statistical report
Statistical report on the Privacy Act
Name of institution: Canada Revenue Agency
Reporting period: April 1, 2018 to March 31, 2019
Part 1 – Requests under the Privacy Act
1.1 Number of requests
| Requests | Number of requests |
|---|---|
| Total | 5,301 |
| Received during reporting period | 4,789 |
| Outstanding from previous reporting period | 512 |
| Requests | Number of requests |
|---|---|
| Total | 5,301 |
| Closed during reporting period | 4,599 |
| Carried over to next reporting period | 702 |
Part 2 – Requests closed during the reporting period
2.1 Disposition and completion time
| Disposition of requests |
1 to 15 days | 16 to 30 days | 31 to 60 days | 61 to 120 days | 121 to 180 days | 181 to 365 days | More than 365 days | Total |
|---|---|---|---|---|---|---|---|---|
All exempted |
0 |
0 |
0 |
3 |
0 |
0 |
0 |
3 |
All excluded |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
No records exist |
14 |
22 |
9 |
2 |
2 |
2 |
0 |
51 |
Request abandoned |
863 |
39 |
32 |
5 |
1 |
3 |
7 |
950 |
Neither confirmed nor denied |
0 |
1 |
0 |
0 |
0 |
0 |
0 |
1 |
Total |
1,206 |
2,106 |
825 |
304 |
52 |
69 |
37 |
4,599 |
All disclosed |
290 |
1,376 |
273 |
49 |
3 |
3 |
0 |
1,994 |
Disclosed in part |
39 |
668 |
511 |
245 |
46 |
61 |
30 |
1,600 |
2.2 Exemptions
| 18(2) | |
| 19(1)(a) | |
| 19(1)(b) | |
| 19(1)(c) | |
| 19(1)(d) | |
| 19(1)(e) | |
| 19(1)(f) | |
| 20 | |
| 21 | |
| 22(1)(a)(i) | |
| 22(1)(a)(ii) | |
| 22(1)(a)(iii) | |
| 22(1)(b) | |
| 22(1)(c) | |
| 22(2) | |
| 22.1 | |
| 22.2 | |
| 22.3 | |
| 23(a) | |
| 23(b) | |
| 24(a) | |
| 24(b) | |
| 25 | |
| 26 | |
| 27 | |
| 28 |
2.3 Exclusions
| 69(1)(a) | |
| 69(1)(b) | |
| 69.1 | |
| 70(1) | |
| 70(1)(a) | |
| 70(1)(b) | |
| 70(1)(c) | |
| 70(1)(d) | |
| 70(1)(e) | |
| 70(1)(f) | |
| 70.1 |
2.4 Format of information released
| Disposition | Paper | Electronic | Other formats |
|---|---|---|---|
Total |
1,102 |
2,492 |
0 |
All disclosed |
839 |
1,155 |
0 |
Disclosed in part |
263 |
1,337 |
0 |
| Disposition of requests | Number of pages processed | Number of pages disclosed | Number of requests |
|---|---|---|---|
All exempted |
670 |
0 |
3 |
All excluded |
0 |
0 |
0 |
Request abandoned |
15,075 |
12,162 |
950 |
Neither confirmed nor denied |
0 |
0 |
1 |
Total |
896,837 |
735,414 |
4,548 |
All disclosed |
76,208 |
76,208 |
1,994 |
Disclosed in part |
804,884 |
647,044 |
1,600 |
| Disposition of requests | Number of requests | Pages disclosed |
All exempted |
3 |
0 |
All excluded |
0 |
0 |
Request abandoned |
945 |
85 |
Neither confirmed nor denied |
1 |
0 |
Total |
3,457 |
87,368 |
| All disclosed | 1,878 |
57,022 |
| Disclosed in part | 630 |
30,261 |
101 - 500 pages processed
| Disposition of requests | Number of requests | Pages disclosed |
|---|---|---|
All exempted |
0 |
0 |
All excluded |
0 |
0 |
Request abandoned |
1 |
101 |
Neither confirmed nor denied |
0 |
0 |
Total |
752 |
161,233 |
All disclosed |
113 |
17,328 |
Disclosed in part |
638 |
143,804 |
501 - 1000 pages processed
| Disposition of requests | Number of requests | Pages disclosed |
|---|---|---|
All exempted |
0 |
0 |
All excluded |
0 |
0 |
Request abandoned |
1 |
505 |
Neither confirmed nor denied |
0 |
0 |
Total |
185 |
129,360 |
All disclosed |
3 |
1,858 |
Disclosed in part |
181 |
126,997 |
1001 - 5000 pages processed
| Disposition of requests | Number of requests | Pages disclosed |
|---|---|---|
All exempted |
0 |
0 |
All excluded |
0 |
0 |
Request abandoned |
2 |
5,635 |
Neither confirmed nor denied |
0 |
0 |
Total |
142 |
238,442 |
All disclosed |
0 |
0 |
Disclosed in part |
140 |
232,807 |
More than 5000 pages processed
| Disposition of requests | Number of requests | Pages disclosed |
|---|---|---|
All exempted |
0 |
0 |
All excluded |
0 |
0 |
Request abandoned |
1 |
5,836 |
Neither confirmed nor denied |
0 |
0 |
Total |
12 |
119,011 |
All disclosed |
0 |
0 |
Disclosed in part |
11 |
113,175 |
| Disposition of requests | Consultation required | Legal advice sought | Interwoven information | Other | Total |
|---|---|---|---|---|---|
All exempted |
0 |
2 |
0 |
0 |
2 |
All excluded |
0 |
0 |
0 |
0 |
0 |
Request abandoned |
1 |
8 |
9 |
23 |
41 |
Neither confirmed nor denied |
0 |
0 |
0 |
0 |
0 |
Total |
6 |
15 |
17 |
33 |
71 |
All disclosed |
0 |
5 |
2 |
3 |
10 |
Disclosed in part |
5 |
0 |
6 |
7 |
18 |
2.6 Deemed refusals
2.6.1 Reasons for not meeting statutory deadline
| Number of requests closed past the statutory deadline |
Principal reason - Workload |
Principal reason - External consultation |
Principal reason - Internal consultation |
Principal reason - Other |
|---|---|---|---|---|
314 |
288 |
5 |
5 |
16 |
2.6.2 Number of days past deadline
| Number of days past deadline | Number of requests past deadline where no extension was taken | Number of requests past deadline where an extension was taken | Total |
|---|---|---|---|
31 to 60 |
18 |
35 |
53 |
61 to 120 |
36 |
29 |
65 |
121 to 180 |
12 |
26 |
38 |
181 to 365 |
15 |
30 |
45 |
More than 365 |
19 |
12 |
31 |
Total |
126 |
188 |
314 |
1 to 15 |
13 |
39 |
52 |
16 to 30 |
13 |
17 |
30 |
2.7 Requests for translation
| Translation requests | Accepted | Refused | Total |
|---|---|---|---|
| Total | 0 | 0 | 0 |
| English to French | 0 | 0 | 0 |
| French to English | 0 | 0 | 0 |
Part 3 – Disclosures under subsections 8(2) and 8(5)
| Paragraph 8(2)(e) | Paragraph 8(2)(m) | Subsection 8(5) | Total |
|---|---|---|---|
| 0 | 1 | 1 | 2 |
Part 4 – Requests for correction of personal information and notations
| Disposition for correction requests received | Number |
|---|---|
| Total | 1 |
| Notations attached | 1 |
| Requests for correction accepted | 0 |
Part 5 – Extensions
5.1 Reasons for extensions and disposition of requests
| Disposition of requests | 15(a)(i) Interference with operations | 15(a)(ii) consultation - Section 70 | 15(a)(ii) consultation - Other | 15(b) translation or conversion |
|---|---|---|---|---|
All exempt |
0 |
0 |
0 |
0 |
All excluded |
0 |
0 |
0 |
0 |
No records exist |
15 |
0 |
0 |
0 |
Request abandoned |
28 |
0 |
0 |
0 |
Total |
1,061 |
0 |
2 |
6 |
All disclosed |
260 |
0 |
0 |
0 |
Disclosed in part |
758 |
0 |
2 |
6 |
5.2 Length of extensions
| Length of extensions | 15(a)(i) Interference with operations | 15(a)(ii) consultation - Section 70 | 15(a)(ii) consultation - Other | 15(b) Translation or conversion |
|---|---|---|---|---|
| Total | 1,061 |
0 |
2 |
6 |
1 to 15 days |
4 |
0 |
0 |
0 |
16 to 30 days |
1,057 |
0 |
2 |
6 |
Part 6 – Consultations received from other institutions and organizations
6.1 Consultations received from other government institutions and organizations
| Consultations |
Other government institutions |
Number of pages to review |
Other organizations |
Number of pages to review |
|---|---|---|---|---|
Total |
3 |
86 |
0 |
0 |
Received during the reporting period |
2 |
39 |
0 |
0 |
Outstanding from the previous reporting period |
1 |
47 |
0 |
0 |
| Consultations |
Other government institutions |
Number of pages to review |
Other organizations |
Number of pages to review |
|---|---|---|---|---|
Total |
3 |
86 |
0 |
0 |
Closed during the reporting period |
3 |
86 |
0 |
0 |
Pending at the end of the reporting period |
0 |
0 |
0 |
0 |
6.2 Recommendations and completion time for consultations received from other Government institutions
| Recommendations | Completion time - 1 to 15 days |
Completion time - 16 to 30 days |
Completion time - 31 to 60 days |
Completion time - 61 to 120 days |
Completion time - 121 to 180 days |
Completion time - 181 to 365 days |
Completion time - More than 365 days |
Total |
Exempt entirely |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
Exclude entirely |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
Consult other institution |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
Other |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
Total |
0 |
3 |
0 |
0 |
0 |
0 |
0 |
3 |
Disclose entirely |
0 |
1 |
0 |
0 |
0 |
0 |
0 |
1 |
Disclose in part |
0 |
2 |
0 |
0 |
0 |
0 |
0 |
2 |
6.3 Recommendations and completion time for consultations received from other organizations
| Recommendation | Completion time - 1 to 15 days |
Completion time - 16 to 30 days |
Completion time - 31 to 60 days |
Completion time - 61 to 120 days |
Completion time - 121 to 180 days |
Completion time - 181 to 365 days |
Completion time - More than 365 days |
Total |
| Exempt entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Exclude entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other organization | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclose entirely | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclose in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 7 – Completion time of consultations on Cabinet confidences
7.1 Requests with Legal Services
| Number of days |
Less than 100 pages processed - Number of requests | Less than 100 pages processed - Pages disclosed | 101 - 500 pages processed - Number of requests |
101 - 500 pages processed - Pages disclosed |
501 - 1000 pages processed - Number of requests |
501 - 1000 pages processed - Pages disclosed |
1001 - 5000 pages processed - Number of requests |
1001 - 5000 pages processed - Pages disclosed |
More than 5000 pages processed - Number of requests |
More than 5000 pages processed - Pages disclosed |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
7.2 Requests with Privy Council Office
| Number of days |
Less than 100 pages processed - Number of requests |
Less than 100 pages processed - Pages disclosed |
101 - 500 pages processed - Number of requests |
101 - 500 pages processed - Pages disclosed |
501 - 1000 pages processed - Number of requests |
501 - 1000 pages processed - Pages disclosed |
1001 - 5000 pages processed - Number of requests |
1001 - 5000 pages processed - Pages disclosed |
More than 5000 pages processed - Number of requests |
More than 5000 pages processed - Pages disclosed |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 8 – Complaints and investigations notices received
| Section 31 | Section 33 | Section 35 | Court action | Total |
|---|---|---|---|---|
| 47 | 0 | 21 | 0 | 68 |
Part 9 – Privacy impact assessments (PIAs)
| Number of PIA(s) completed | 12 |
| Expenditures | Amounts |
|---|---|
|
$350,490 |
|
$341,403 |
| Total | $6,723,710 |
| Salaries | $5,796,583 |
| Overtime | $235,234 |
| Goods and Services - Total | $691,893 |
10.2 Human resources
| Resources | Person years dedicated to privacy activities |
|---|---|
| Regional staff | 0.00 |
| Consultants and agency personnel | 2.00 |
| Students | 1.50 |
| Total | 80.50 |
| Full-time employees | 77.00 |
| Part-time and casual employees | 0.00 |
Appendix B – New reporting requirement
Statistical report on the Privacy Act
Name of institution: Canada Revenue Agency
Reporting period: April 1, 2018 to March 31, 2019
In 2018–2019, the Treasury Board of Canada Secretariat included a new requirement to report on the following exemptions.
|
|
|
|---|---|
| 22.4 National Security and Intelligence Committee |
|
| 27.1 Patent or Trademark privilege |
|
Page details
- Date modified: